5:30 When the code appears on the Yubico Authenticator app, you just need to CTRL+V because once you touch the Yubikey the code is copied to memory
Very nice video by the way
Excellent!
As an IT guy, I actually have a policy of not allowing people to put business apps on their personal phones and devices. There is a higher tier of employee that have personal devices paid for by the company, but those are business owners... For everyone else, no.
They are allowed to have Skype accounts on their personal phones and other messenger apps for internal communications like "where to eat lunch", but we don't use business Skype accounts (because Skype for Business was a trash fire since the day it came out), so MFA is not needed.
MFA is oddly a mix of consumer product ideas with business accounts. The fact that you can't turn it off is inappropriate and horrendous policy in my books.
Most of my computers are just fine with Desktop PC + land line system, but some computers can get really complicated.
When we have staff that goes to visit factories for example, the user might have a laptop and a desktop. So they take their laptop with them to the factory and have to use the MFA, which is tied to the land line... back at the office.... Not a big deal during office hours, but what if the person is doing a longer trip beyond office hours. They can't log into anything properly, while a phone back at the office, 150km away rings away with nobody to answer. Stupid.
Microsoft's answer to this is that we should provide that person with a phone. Great. Because they don't want to make an option for opt-in we have to pay a few hundred bucks a year and fiddle around with contracts (also, there are special fraud laws here that require phones to be connected to a human's ID card number - even more of a pain in the ass).
So this USB thing is great. Of course, they have to have a free USB port on their laptop, which many laptops don't have very many of.... and occasionally break when working laptops fall and take a beating...
Still the best option would be to have this opt-in.
I've got a computer in my office right now that is fun like this too. Desktop PC, could tie to MFA by land line at the warehouse, but the warehouse is about an hour's drive away. So if I want to go set it up, it's a minimum of 2 hours out of my day. So I have them bring the computer here for me to work on... but now it's also in the wrong place. Fiddly and annoying. There's no serious risk of this computer ever getting hacked or compromised. It's barely used for much of anything outside of emails, opening PDFs and eDrawings files from the boss and R&D departments. Pretty much everything is done internally through emails and Teams.
So I could also tie it to a cell phone, but the warehouse manager is often not in the office, traveling from factories and supplier factories and partner factories to warehouse and back.
All of these problems have workarounds, but it's a huge hassle and none of it would be necessary if Microsoft devs/mgmt actually had a sense of all the ways computers are used in business. It's almost like they assume everyone is now just spending all their time playing on IG and FB on their phones instead of working. Microsoft is getting increasingly distanced from their actual users and then makes decisions for us that we cannot make meaningful choices about our own company policy...
Disturbing trend.
I'll be setting up a USB security key for that computer, similar to what you've got here, but minus the ridiculous price tag for a USB key.
Thanks for your comment. The world of IT isn’t always black and white!
I really wish you would offer a full Office365 Admin/Security course!!!! Every time I look up a topic and see you did a video I get excited cause I know it's gonna be exactly what I need!!!
@@Kim-tr1fy It’s coming soon….
I'm curious, I wonder if it's possible to use one Yubikey for multiple accounts? I.e. multiple "public use" computers that have M365 accounts and the managers having one Yubikey and being able to deal with MFA when prompted?
Thanks for the video. Do you know if it's possible to use the key alongside the Microsoft authenticator as an additional method or is it one or the other?
Yes, I think you can
Great video! Just wondering... I had my M365 account set up with MFA using Microsoft Authenticator, I changed it to use the Yubikey, works great. Noticed Outlook on my Android phone does not prompt for authentication, shouldn't it? I tried resetting the account in Outlook on my phone and it worked fine but has never asked me to authenticate on the Yubikey?
@Jonathan Edwards I hope not much has changed when it comes to doing this under Entra!?
Thanks for the video, is there a way to do this with less user input? Where I can just distribute the right key to the right person? We have about 300 people with half without a business phone so I would love to do this without having to install this app and going through this setup with 150 people
Curious as to what you figured out?
@@DavidMartinez-z6m Sadly not much. If you can go the FIDO2 route you can bulk import them and set them up for the users. But if you have a business that needs Terminal Server you are out of luck as RDP does not handle FIDO2 and you have to manually activate the key for the users.
So check on that, maybe Citrix doesn't have the FIDO2 issues
If I set up the Yubikey with the authenticator, will I be able to use it on a Windows computer without it installed to login?
Yes
Hey Jonathan! Thanks for the video. What I would really like to do is enable Yubico 2FA when a password change attempt is made for Outlook account, do you know whether this option is possible?
Are you using Microsoft 365?
Impressive video, clear simple. Thanks
Another great video - thanks! Currently our emergency ‘break glass’ account bypasses conditional access and does not have any MFA - would Yubikey be a good MFA solution for the break glass account?
Yes, it would be.
Very helpful video
Thank you
@@bearded365guy Welcome
Interesting that Office 365 doesn't support smart card login directly. I guess they want people to use their authenticator app.
All well and good until the Yubico Authenticator doesn't have add account
Too bad it won't work with the key directly but thanks for the video. At least now I have it working.
When is the next video coming....?
Can we connect and talk on social media?